How to Protect Your Google Analytics From Getting Hacked

Within 15 minutes, anyone with a decent amount of traffic to their own site can completely CORRUPT your Google Analytics data. It’s easy, simple, and once the data is corrupted, you can’t fix the data that’s already been collected.

I’m going to show you exactly how to hack Google Analytics. Then I’m going to tell you how to protect yourself.

And as a super secret bonus, I’ll show you how to get the attention of a fellow marketer if you’re applying for a job, trying to close a deal, or just want to show off your Google Analytics chops.

First, let’s dive into how someone can corrupt your data.

How To Corrupt Google Analytics Data

First, we need a quick overview on how the Google Analytics Tracking Code works. Here’s the tracking code:

This code is on every page of your site (at least it’s supposed to be). Each time a page loads, it executes this JavaScript and records a pageview along with other relevant data. Apart from the Property ID, it looks exactly the same on every site unless you customize it yourself.

Google Analytics needs a way to keep track of which data comes from which site. To do this, it uses a Property ID (also called a Tracking ID), which looks like UA-XXXXXXXX-Y. The first number identifies your Google Analytics account and the second identifies a property within that account, so no two properties share an ID. Whatever Property ID sits in the tracking code decides where the data goes.

The red box above shows you where to find this delicious little nugget.

For example, if you want data from multiple sites to go to the same account, use the same Property ID on each. Google Analytics will then track everything as if it’s a single site. Be careful though, I don’t recommend doing this unless you really know what you’re doing. In order to tell what is happening on a specific site, you’ll need to separate your data back out with filters or tell the Google Analytics Tracking Code to send data to multiple accounts. Both options are fairly advanced and not for the faint of heart.

As long as we have a Property ID, we can send data to that property, whether it’s ours or not.

So if someone gets a hold of your Property ID and wants to corrupt your data with their data, it’s very easy to do so.

Corrupting Data: Step-by-Step

Let’s say you REALLY hate me because I ate all your gummy bears. You’re SO angry about not getting your gummy bears that you want to ruin all of my Google Analytics data. I have a site at LarsLofgren.com that’ll be perfect for exacting your vengeance.

Now, you want to find my Google Analytics Tracking Code (where you’ll find my Property ID). Open the page source in your browser, hit control+F or command+F, and search for “ga.js”. This is the Google Analytics file that does all the analytics grunt work, and the search will bring you right to my Property ID. (Sites running the newer analytics.js or gtag.js snippets put the ID next to ga('create', ...) or gtag('config', ...) instead, so search for those too.)

This is what you’ll find:

And BAM, you now have my Property ID, which is UA-23929748-1. Put this Property ID into the tracking code on any other site and that site’s pageviews land in my reports; my data becomes a mess and I won’t be able to use any of it.

Go to your Google Analytics Tracking Code, trade your Property ID for mine, and the Google Analytics servers will take care of the rest. Your revenge will be complete and I’ll feel appropriately sorry for eating your gummy bears.
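The “view source, search for ga.js” step above, automated, as an added example that is not code from the original post. Given raw page HTML it reports whether the page loads Google Analytics at all (the only check the campaign-report trick later in the post needs) and pulls out every Property ID it finds. Besides the ga.js snippet the post describes, it recognises the later analytics.js and gtag.js snippets. The sample page and the ID UA-12345678-1 in it are constructed placeholders, not a real site or property.

```javascript
// Added example, not code from the original post: locate the Google Analytics
// snippet in raw page HTML and pull out the Property ID, automating the
// "view source, search for ga.js" step. Besides the ga.js snippet the post
// shows, it recognises the later analytics.js and gtag.js snippets, which
// put the ID next to ga('create', ...) and gtag('config', ...).

// Script URLs that tell you the page loads Google Analytics at all.
const GA_LOADERS = [
  /google-analytics\.com\/(?:ga|urchin)\.js/i,
  /google-analytics\.com\/analytics\.js/i,
  /googletagmanager\.com\/gtag\/js/i,
];

// Where each flavour of snippet places the ID. The 'api' label records the
// call the ID was found in, which also tells you which library the site uses.
const ID_PATTERNS = [
  { api: '_setAccount', re: /_setAccount['"]\s*,\s*['"](UA-\d+-\d+)['"]/g },             // async ga.js
  { api: '_getTracker', re: /_getTracker\(\s*['"](UA-\d+-\d+)['"]/g },                  // legacy ga.js
  { api: 'ga.create',   re: /ga\(\s*['"]create['"]\s*,\s*['"](UA-\d+-\d+)['"]/g },      // analytics.js
  { api: 'gtag.config', re: /gtag\(\s*['"]config['"]\s*,\s*['"](UA-\d+-\d+|G-[A-Z0-9]+)['"]/g }, // gtag.js
];

function usesGoogleAnalytics(html) {
  return GA_LOADERS.some((re) => re.test(html));
}

function findTrackingIds(html) {
  const found = [];
  for (const { api, re } of ID_PATTERNS) {
    re.lastIndex = 0; // global regexes keep match state between calls
    let m;
    while ((m = re.exec(html)) !== null) {
      found.push({ api, id: m[1] });
    }
  }
  return found;
}

// Constructed sample page carrying the classic asynchronous ga.js snippet.
// UA-12345678-1 is a placeholder ID, not a real property.
const SAMPLE_PAGE = `<html><head><title>Sample</title>
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-12345678-1']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>
</head><body>Hello</body></html>`;

console.log(usesGoogleAnalytics(SAMPLE_PAGE), findTrackingIds(SAMPLE_PAGE));
```

Run it against the HTML you saved from “view source”; a page can legitimately carry more than one ID (for example a site that sends data to two properties on purpose, as described above), which is why the function returns a list rather than a single value.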

Is There a Way to Fix the Data Once it’s Corrupted?

Nope. Google Analytics collects raw hits all day and runs them through your filters, goals, and profiles as they are processed into the reports you see when you log in. Filters are applied at processing time, never retroactively, so once data has been compiled there’s no going back. If two sites have been sending data to the same property, there’s no way to separate them in the reports that already exist.

Your only option is to protect yourself and keep all of your future data clean.

How to Protect Yourself

All you need is a simple filter that only includes traffic on your own domain, protecting you from data corruption when people reuse your Google Analytics Property ID.

To find your filters:

Go to your Google Analytics standard reports

Click on the “Admin” button in the top right

Click on “Filters”

Click “+ New Filter”

Then use these settings for your filter:

Select “Create New filter for Profile”

Name your filter with something snazzy like “Hacking Defense”

Select “Custom Filter”

Select “Include”

For the Filter Field, select “Hostname”

If your site is LarsLofgren.com, define the filter pattern as “^(www\.)?larslofgren\.com$”. Put a “\” before every “.” (an unescaped “.” matches any character), and anchor the pattern with “^” and “$”: Google Analytics matches a filter pattern anywhere inside the hostname, so an unanchored “larslofgren\.com” would also let through a hostname such as larslofgren.com.example.com.

Pick “No” for case-sensitive

You’ll get a filter that looks like this:

Hit the save button and you’re all set. Your Google Analytics profile will now drop hits that report a hostname other than your own, which is exactly what happens when someone pastes your Property ID into the standard tracking code on their site. It is not a complete defense, though: the filter only sees the hostname the hit reports, and anyone sending hits directly rather than through the standard snippet on a real page can set that field to whatever they like. Keep an eye on your hostname and referral reports for anything that doesn’t belong.

WARNING: Make sure you test this filter on your Test Profile (One of the 8 Google Analytics Features Every Site MUST Have Enabled). Filters are applied as data comes in, so a wrong pattern will silently drop every hit for as long as the filter is active, and that data cannot be recovered. Apply it to your Test Profile first, make sure everything works, then add it to your main profile.

Including Multiple Domains on Purpose

Some of you will be collecting data from multiple domains intentionally. A common example is merging data from different country domains. Let’s say that I include traffic from LarsLofgren.com and LarsLofgren.co.uk in the same Google Analytics profile. If I use the filter above, I’ll only see traffic on LarsLofgren.com.

With a little regular expression magic, I can include both. Instead of matching a single domain, I’ll use the pattern “^(www\.)?(larslofgren\.com|larslofgren\.co\.uk)$”. The “|” means “or”, so this tells Google Analytics to keep a hit whose hostname is either of these domains, and nothing else.

All the other settings are exactly the same. My new filter would look like this:

The screenshot shows the shorter, unanchored “larslofgren\.com|larslofgren\.co\.uk”, which is hard to read at that size. Use the anchored pattern above: an unanchored one also matches any hostname that merely contains one of those domains.
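The single-domain filter and the multi-domain filter above, as an added example that is not part of the original post. It models how a Google Analytics “Include / Hostname” custom filter decides which hits to keep: the pattern is a regular expression matched anywhere in the hostname, optionally case-insensitive. JavaScript’s RegExp stands in for Google’s engine here (an assumption; the patterns used are plain enough to behave the same in both). The hit list is constructed, and it includes a look-alike hostname and a hit whose hostname field was set to the real domain by the sender, to show what the filter does and does not stop.

```javascript
// Added example, not code from the original post: a small model of a Google
// Analytics "Include / Hostname" custom filter. GA matches the pattern as a
// regular expression anywhere in the hostname (no implicit anchoring), with
// case sensitivity as a filter option. JavaScript RegExp stands in for GA's
// engine (assumption). Hits below are constructed sample data.

function makeHostnameIncludeFilter(pattern, { caseSensitive = false } = {}) {
  const re = new RegExp(pattern, caseSensitive ? '' : 'i');
  return (hostname) => re.test(hostname); // true = hit is kept in the profile
}

// Constructed hits. The last two show the filter's limits: a look-alike host
// that an unanchored pattern lets through, and a hit whose hostname field was
// set to the real domain by whoever sent it (the filter only sees what the
// hit reports, which is the point raised in the comments under the post).
const SAMPLE_HITS = [
  { hostname: 'larslofgren.com',         note: 'real site' },
  { hostname: 'www.LarsLofgren.com',     note: 'real site, mixed case' },
  { hostname: 'larslofgren.co.uk',       note: 'country domain' },
  { hostname: 'evil.example',            note: 'site reusing the property ID' },
  { hostname: 'larslofgren.com.example', note: 'look-alike host' },
  { hostname: 'larslofgren.com',         note: 'spoofed hostname field' },
];

// Returns the notes of the hits a filter keeps, so the result is readable.
function applyFilter(filter, hits) {
  return hits.filter((h) => filter(h.hostname)).map((h) => h.note);
}

// Unanchored pattern: matches anywhere, so 'larslofgren.com.example' passes.
const NAIVE = makeHostnameIncludeFilter('larslofgren\\.com');
// Anchored pattern: only the bare domain or its www. subdomain.
const STRICT = makeHostnameIncludeFilter('^(www\\.)?larslofgren\\.com$');
// Multi-domain pattern for the .com and .co.uk sites; '|' means OR.
const MULTI = makeHostnameIncludeFilter('^(www\\.)?(larslofgren\\.com|larslofgren\\.co\\.uk)$');

console.log('naive :', applyFilter(NAIVE, SAMPLE_HITS));
console.log('strict:', applyFilter(STRICT, SAMPLE_HITS));
console.log('multi :', applyFilter(MULTI, SAMPLE_HITS));
```

Note that the spoofed hit passes every filter: a hostname filter is a guard against copied tracking code, not against someone who constructs hits by hand. To admit other subdomains as well as www, the pattern “^(\w+\.)*larslofgren\.com$” from the comments works with the same function.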

Why Would Someone Want to Hack You?

I’ve seen hacking occur for two reasons:

Evildoers Want to Corrupt Your Data: If you pissed the wrong person off, they may want to make your life as miserable as possible. And with a large enough site, they could inject all their traffic data into yours. This will make it impossible for you to learn anything about your customers and traffic.

Spammers Driving Traffic: You’re more likely to see situations where spammers inject data into your reports. Their goal is to pique your curiosity and get you to visit their site, resulting in more traffic for them. I think this is a terribly inefficient way to build traffic (even for spammers), but people do it.

How to Hack a Campaign Report and Get Noticed By Other Marketers

This hacking method isn’t nearly as nefarious as the first. While we’re going to inject our own data into someone’s report, we’ll only mess with the campaign data. The rest of their data will remain untouched.

If you’re classy about it, you can get a custom message into someone else’s campaign reports. Say you’re trying to close a client, land a job, or make a connection. This method is perfect for getting the attention of another internet marketer.

Let’s back up for a moment. Google Analytics allows us to track our marketing campaigns by adding UTM parameters to our links. Basically, you define a few variables (the name of your campaign, where the link is located, etc.) and you can see which links drove traffic and conversions to your site. So if you have an email campaign, banner ads, and Facebook ads for a marketing campaign, you can see which ones are actually working.

But there’s nothing stopping me from creating campaign URLs for someone else. All I have to do is create the link, send traffic through it, and I can insert any message I want into someone else’s campaign reports.

Here’s how it works:

1. Confirm that the site is using Google Analytics. Just like the last hacking method, go to their site, view the page source, and search for ga.js (or analytics.js or gtag.js on sites running a newer snippet). All you need is confirmation that they’re using Google Analytics; you don’t need to grab anything like the Property ID. If the site doesn’t use Google Analytics, this won’t work.

2. Build Your URL. Go to the Google Analytics URL Builder and set up your link. Enter the URL of the page you’ll be sending traffic to (their homepage is fine), then put your message in the Campaign Name field. The Campaign Name is displayed first in the campaign reports and also shows up in the traffic source reports, so a message there has the best chance of being noticed. For Campaign Source, put your name so they can easily connect the dots. You’ll also need to fill in the Campaign Medium field since it’s required. Avoid punctuation and symbols in all fields. Once you’re ready to go, click “Generate URL.”

3. Send Traffic. Place your URL in a location where it will get plenty of clicks. If you have a large email list, blog, or Twitter following, spread the link to your audience. Success depends entirely on the size of the site that you’re sending traffic to. The larger the site, the more traffic you’ll have to pass through the link for it to get noticed.

Once the link is live and your minions have clicked on it, Google Analytics will report visits from the campaign you’ve set up. Cue maniacal laughter.
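The URL-building step above in code, as an added example that is not from the post or from Google’s URL Builder. It assembles a campaign-tagged link with the standard utm_* parameters, enforces the three required fields (source, medium, campaign), percent-encodes the values so a message with spaces survives the trip, and parses a tagged link back the way the campaign reports will read it. The destination and the message are constructed for illustration.

```javascript
// Added example, not code from the original post or Google's URL Builder:
// build a campaign-tagged URL and read it back the way the campaign reports
// do. utm_source, utm_medium and utm_campaign are required by Google
// Analytics; utm_term and utm_content are optional. Values below are
// constructed for illustration.

const REQUIRED_FIELDS = ['utm_source', 'utm_medium', 'utm_campaign'];
const OPTIONAL_FIELDS = ['utm_term', 'utm_content'];

function buildCampaignUrl(destination, fields) {
  const url = new URL(destination); // throws on a malformed destination
  for (const name of REQUIRED_FIELDS) {
    if (!fields[name] || !String(fields[name]).trim()) {
      throw new Error(`missing required campaign field: ${name}`);
    }
  }
  for (const name of [...REQUIRED_FIELDS, ...OPTIONAL_FIELDS]) {
    const value = fields[name];
    if (value !== undefined && String(value).trim() !== '') {
      // searchParams.set percent-encodes spaces and punctuation, so the
      // message reaches the report intact instead of breaking the link.
      url.searchParams.set(name, String(value).trim());
    }
  }
  return url.toString();
}

// What the campaign reports will see for a tagged link: the utm_* values,
// decoded, keyed by parameter name. Untagged links yield an empty object.
function parseCampaign(href) {
  const params = new URL(href).searchParams;
  const campaign = {};
  for (const name of [...REQUIRED_FIELDS, ...OPTIONAL_FIELDS]) {
    if (params.has(name)) campaign[name] = params.get(name);
  }
  return campaign;
}

// Constructed usage: a message aimed at the owner of LarsLofgren.com.
const link = buildCampaignUrl('https://larslofgren.com/', {
  utm_source: 'lars_lofgren',
  utm_medium: 'twitter',
  utm_campaign: 'hire me for your analytics team',
});
console.log(link);
console.log(parseCampaign(link));
```

The builder refuses a link that lacks source, medium or campaign name for the same reason the URL Builder marks them required: Google Analytics ignores a link that is missing any of the three, so the traffic you send would show up as plain referrals and your message would never appear.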

Rapid Fire Recap

Anyone can populate your Google Analytics reports with their own data. Since you can’t separate the data back out, it’ll prevent you from learning anything about your visitors.

To protect yourself, set up a quick filter that only includes data from the domains you want to track. Make sure to apply this filter to your Test Profile first to make sure you set it up correctly.

If you want to get someone’s attention, insert a message into their campaign reports using the Google Analytics URL Builder. Link to a page on their site, add a message to the end of the URL via the UTM parameters, and drive traffic through the link. The more people that use the link, the better the chance you have of someone noticing it.

So set up your filters and protect yourself from Google Analytics evildoers!

Seriously, go set up your filter right now. This is probably the most important filter you’ll set up on your site.

About the Author: Lars Lofgren is the KISSmetrics Marketing Analyst and has his Google Analytics Individual Qualification (he’s certified). Learn how to grow your business at his marketing blog or follow him on Twitter @larslofgren.


Beatrix, I’ve seen a ton of instances of this occurring, but it’s usually not malicious. Having the hostname filter in place is a good precaution to take at the beginning of a project, after reviewing the other hostnames to see what needs to get through. (For example, if you’re trying to track online chats or other tools, you’d need to add those hostnames, as well… but that gets into a whole other topic!)

Thinking that filtering hostname by regular expression “larslofgren\.com” would protect the account is a very common newbie mistake. It would still allow requests from e.g. larslofgren.com.example.com. The correct regular expression to match the domain would be “^(www\.)?larslofgren\.com$”. To match other subdomains, “^(\w+\.)*larslofgren\.com$” can be used. Or, you can use other filters with options that require “exact match” or “ends with”. (Sorry if those terms are not correct or accurate, I’m not using Google Analytics in English.)

And still it’s possible to ruin someone’s Google Analytics account. A simple hostname filter won’t help either. If I have a high traffic site I can use the serverside GA code (that Google provides for mobile tracking) to send pageviews. In that script you can change the hostname to whatever you want…

I am not a regex expert, I struggle with it. But I think a “pipe” character (e.g. “|”) in regex means “OR” rather than “AND”, which means the following paragraph excerpted from your post could be confusing… I could be wrong though!

With a little regular expression magic, I can include both. Instead of defining the filter pattern as “larslofgren\.com”, I’ll use “larslofgren.com\.com|larslofgren\.co\.uk”. Since the “|” acts as an “and” symbol, this tells Google Analytics to include traffic from both these domains.

Great post, Lars. Your hands on instruction on hacking Google Analytics, and then how to protect yourself from getting hacked is powerful. I am including your post in ‘Best of the Web’ j3webmarketing.com/best-web so even more people can benefit from your post and protect themselves. Thank you.

Is there any way of simply hiding your UA code under an umbrella ga.js file or something so that the Google Analytics ID number isn’t on show?

Really interesting by the way, good ideas for simply segregating campaigns too (I often track my event pages on Eventbrite within my Google Analytics but don’t separate them – will do now!). Thanks Lars!

It seems like a pretty easy thing to bypass. For instance, I can edit my local hosts file and make your website point to any site I choose. The “Host” request header will still show your site, but I can track page hits from other places.

This just happened to a new client’s website. He was wondering why his conversion rates were so terrible while he was receiving 1200 daily visits. I investigated by monitoring the real-time for three hours and found it suspicious no one was navigating away from the home page but once or twice. Created a new Analytics account (and implemented your tips above), yesterday his traffic dropped to 120 visits and conversion rates are now spot on. Thanks so much for this article!